Security Onion and RegreSSHion CVE-2024-6387

A vulnerability was recently announced in OpenSSH:

https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server

https://linux.oracle.com/cve/CVE-2024-6387.html

https://linux.oracle.com/errata/ELSA-2024-4312.html

https://linux.oracle.com/errata/ELSA-2024-12468.html

First, it's important to note the following from https://isc.sans.edu/diary/SSH+regreSSHion+Remote+Code+Execution+Vulnerability+in+OpenSSH/31046:

Exploitation for AMD64 appears to be not practical at this time.

It's also important to note that we don't recommend exposing your Security Onion SSH port to the Internet.

If your Security Onion deployment has Internet access and you have automatic OS updates enabled (which is the default setting), then it should automatically install the latest openssh packages with the patches for this vulnerability. If your Security Onion deployment is an airgap deployment, then the latest openssh packages will be included in the next ISO release.

You can use salt to query your deployment and see what version is installed across your grid:

sudo salt \* cmd.run 'rpm -qa |grep openssh-server'

On Internet-connected deployments, the current version at time of writing should be:

openssh-server-8.7p1-38.0.2.el9_4.1.x86_64

You can also use Osquery Manager to check your grid:

select * from rpm_packages where name = "openssh-server"

You can then expand the source field and verify that it shows at least:

openssh-8.7p1-38.0.2.el9_4.1.src.rpm